NON-MERAKI Site-To-Site VPN - network translation v18.2xxx

Solved
MannyElPollo
Here to help

Hey All,

 

Just wanted to post here and see if anyone has run into this before while running firmware version v18.2xxx.

 

Currently have a NON-MERAKI S2S VPN tunnel configured using "IKEv1".

We're translating a /23 subnet to a single /32.


So that any clients on the /23 show up as a single host (whitelisted on the vendor end).

 

All this works properly on firmware v18.1xxx; however, whenever we upgrade to v18.2xxx, randomly some clients would be able to access the remote host (specifically port 443/https) and some others WILL NOT, with no common denominator, almost as if Meraki is NOT translating the full /23 subnet properly... The weird part is that ICMP/pings work properly (strange).

 

Anyways, for now we have rolled back to v18.1xxx and confirmed the tunnel is working with no issues, both ICMP/pings and, more importantly, port 443/https traffic.

 

Let me know your thoughts 🙂 maybe I should submit it as a "bug".

 

Thanks!

 


6 Replies
RaphaelL
Kind of a big deal

Hi,

 

NMVPN is really hard to troubleshoot on its own. I highly suggest involving Support on that one.

MannyElPollo
Here to help

Yeah, engaged them and one thousand packet captures later....

 

The ONLY FIX was to roll back to "v18.1xxx", which fixed the issue.

 

xD

jimmyt234
Building a reputation

The documentation on this feature states: "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."

 

Using Site-to-site VPN Translation - Cisco Meraki Documentation

MannyElPollo
Here to help


@jimmyt234 wrote:

The documentation on this feature states: "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."

 

Using Site-to-site VPN Translation - Cisco Meraki Documentation


 

Noted. Seems like "basic" functionality a firewall would have... 🤔 (subnet translation)

 

Hey, at least it works 🙂

JonnyM
Getting noticed

For 'advanced' stuff like this I have previously deployed a non-Meraki firewall alongside an MX and then created static routes between the two boxes. We had an MX running our office about four years ago but needed 20-30 IPsec tunnels to other organisations, and I did them all on a Netgate appliance because things like routed tunnels weren't an option on the MX. Knowing the limitations of the MX platform and trying to keep your usage within the constraints is half the work of designing Meraki implementations.

MannyElPollo
Here to help

Marked as solution.

 

10000% agree; for some of our most advanced deployments we even reverted to virtual NETGATE appliances for VPN tunnels.
